System And Method For Real Time Monitoring And 
Control Of Networked Computers 
Inventor: Robert F. Terry 
Serial No.: 09/827,891 




Initialize Message Signaling Independent 32 API DLL "Hook" (505)
Set System Message Filter with WH_SYSMSGFILTER
    Mouse Movement
    Dialog, Menu, List Box
    Feedback Message
    (reference numerals 510, 515, 520, 525, 530)
    -> Over 150 Possible Messages
Set System Message Filter with WH_CBT (535)
    -> 10 Possible System Messages
Initialize Filter Function to Analyze Received Messages (545)

FIG. 5



Initiate Probe Utility Application (200)
Initiate Parallel Polling Thread for Window Handle Listing (605)
Initiate Function to Load Each Active Handle into a Memory Array (610)
Send a WM_QUIT Communications Signal to a Window Handle? (615) [No / Yes]
    Yes:
    Initialize 32 Bit API DLL "KILL APP" Function (620)
    Send WM_QUIT Message to the Active Window Handle (625)
    Active Window Handle (Program) Terminated (630)

FIG. 6



Main Probe Thread Initialized (700)
Registry Thread - Figure 2 (705)
    Classes_Root ASC File (710a)
    Current_User ASC File (710b)
    Local_Machine ASC File (710c)
    Users ASC File (710d)
O/S "Start-up" - Figure 3 (715)
    O/S Window Directory (720a)
    Autoexec.Bat, Config.sys (720b)
Third Party Applications - Figure 4 (725)
    Map Start-up Directory to ASC File (730a)
    All ".ini" Files into ASC File (730b)
Files are Stored into Next Sub-Directory for Probe Retrieval and Update (740)
Has a Signal Been Received to Transfer Data to Monitor Station? (745)
Transfer Data (750)

FIG. 7



Administrative Application is Initialized (115)
    Network (120)
    Main Application Thread is Initialized (802)
    Polling Threads are Initialized to Receive Data from Probe Workstations (805)
    User Requests Update from Probe? (810) [No / Yes]
    Signal File is Transferred to Production Network Directory (815)
    Data is Received and Populated into Monitor Station (820)
    Network Production Directory (825)

Utility Application (Probe) (110)
    Parallel Threads are Initialized and Data is Stored - See Figure 7 (830)
    Thread is Initialized to Query Production Network Directory for Possible Signal (835)
    Signal File from Monitor Exists in Network Directory? (840) [No / Yes]
    All Stored Data is Transferred to Network Production Directory (845)

FIG. 8



Probe is Initialized (200)
All Data is Recorded and Stored - See Figure 7 (905)
Registry Queue Thread (910)
    Check Each Entry for any Possible Change (915)
    Is There a Change? (920) [No / Yes]
O/S Thread (925)
    Check Each Entry for any Possible Change (930)
    Is There a Change? (935) [No / Yes]
Third Party Applications Thread (940)
    Check Each Entry for any Possible Change (945)
    Is There a Change? (950) [No / Yes]
Yes -> Signal Probe Alert Function and Transmit Penetration to Monitor Station (955)

FIG. 9



Probe is Initiated (200)
All Data is Recorded and Stored - See Figure 7 (1005)
Registry Queue Thread (1010)
    Check Each Entry for any Possible Change (1015)
    Is There a Change? (1020) [No / Yes]
O/S Thread (1025)
    Check Each Entry for any Possible Change (1030)
    Is There a Change? (1035) [No / Yes]
Third Party Applications Thread (1040)
    Check Each Entry for any Possible Change (1045)
    Is There a Change? (1050) [No / Yes]
Yes -> Reversal Function is Initiated and Receives "Parameters" of the Type of Change and Reverses the Registry, O/S File or Start-up File Back to its Original State and Kills Window Handle in Memory (See Figure 6) (1055)

FIG. 10



SOT [CR] [LF]
Date=CCYY\MM\DD [CR] [LF]
Time=HH:MM:SS [CR] [LF]
3Wind=Variable Up To 500 Characters [CR] [LF]
2Wind=Variable Up To 500 Characters [CR] [LF]
1Wind=Variable Up To 500 Characters [CR] [LF]
Mssg=Variable Up To 500 Characters [CR] [LF]
EOT [CR] [LF]

Structured Signal File Block Diagram (1100)

FIG. 11



Initiate Monitor Station 115 (2300)
Initiate a Series of Threads (2305)
First Parallel Thread:
    Query and Gather Configuration Data (2310)
    Analyze the Configuration Data (2315)
    Store the Configuration Data (2320)
    End
Second Parallel Thread:
    Query and Gather Forensic or "Penetration Pattern" Data (2325)
    Store Forensic or Penetration Pattern Data (2330)
    Display Forensic or Penetration Pattern Data (2335)
Third Parallel Thread:
    Send Configuration and Operational Policy Structured Signal Files to Client Application 110 (2340)
    End
Fourth, Fifth, and Sixth Parallel Thread:
    Control Signals to Terminate Client Application 110 (2345)
    End

FIG. 23






Compare Each Unauthorized Modification with Forensic Data (2400)
Analyze Window Handle State of Each Computer Unit when the Unauthorized Modification Occurred (2405)
Develop and Deploy a Policy Throughout the Network System to Stop Unauthorized Modification in Each Computer Unit (2410)

FIG. 24



